Collaboration Will Solve Security Woes, HackerOne CEO Says
Marten Mickos, CEO of bug bounty platform HackerOne, said the Equifax breach may be a blessing in disguise, not only for organizations that rely heavily on software for their day-to-day operations but for consumers who trust their data to such firms.
Speaking at the Structure Security event in San Francisco, Mickos said the hack of the credit reporting company, which may have exposed the personal information of roughly 143 million American consumers, should serve as a wake-up call to companies that "any single vulnerability" can damage an entire business.
"It's my life philosophy that you never lose," Mickos said. "You win or you learn. When you look at all the terrible things that happened in the Equifax data breach and you realize that innocent people suffered and it was the result of a vulnerability, there must be some bigger picture benefit of this."
It is well established at this point that the Equifax breach resulted from a known vulnerability in Apache Struts, an open-source web application framework, for which a patch had been available for months before the attackers got in. Mickos said it is unacceptable for a company whose business is built on the data it has collected not to take the proper steps to secure that data.
"No matter how difficult the problem is, there is absolutely no excuse for a company sitting with 143 million credit card numbers not to double check," Mickos said. "If you choose such a business model, you choose to raise the bar on security and you must do it."
However, the HackerOne CEO did note that organizations like Equifax have it tough because they are running legacy systems and use dozens if not hundreds of different applications that interact with one another, and asking a security team to stay on top of all of those moving parts can be next to impossible.
"You build a website and you're using something that is using something that is using something that is using something. And even if you know the chain, you also have to know the exact version number for each of them," he said.
Add to that the thousands of lines of legacy code that may have been written long ago by someone no longer at the company, and you are left with a security posture that looks like a Jenga tower ready to tip over at the wrong move.
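The dependency chain Mickos describes is exactly what a software inventory has to enumerate: not just the libraries a project declares, but everything those libraries pull in, each pinned to an exact version, so that a known-vulnerable release can be found however deep it sits. The Python below is an added example for this article, not code from HackerOne, Equifax or the Apache Struts project. It parses constructed `mvn dependency:tree` output for a fictional project and flags any artifact, direct or transitive, whose version falls inside an advisory's affected range, reporting the path by which it was pulled in. The project coordinates, versions and the struts2-core version ranges are illustrative placeholders for the example, not a lookup against a real vulnerability database.

```python
"""Inventory a Maven dependency tree and flag known-vulnerable versions,
including transitive dependencies several levels deep.

Added example for this article; not code from HackerOne, Equifax or the
Apache Struts project. SAMPLE_TREE is constructed to mimic the output of
`mvn dependency:tree` for a fictional project, and ADVISORIES holds
illustrative affected-version ranges, not a real advisory feed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output (fictional project and coordinates).
SAMPLE_TREE = r"""[INFO] com.example:credit-portal:war:1.4.2
[INFO] +- org.springframework:spring-webmvc:jar:4.3.9.RELEASE:compile
[INFO] |  \- org.springframework:spring-core:jar:4.3.9.RELEASE:compile
[INFO] +- com.example:legacy-reporting:jar:0.9.1:compile
[INFO] |  \- com.example:legacy-forms:jar:2.2.0:compile
[INFO] |     \- org.apache.struts:struts2-core:jar:2.3.20:compile
[INFO] |        \- commons-fileupload:commons-fileupload:jar:1.3.1:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# (groupId, artifactId) -> inclusive [low, high] version ranges said to be affected.
# Illustrative placeholders for the example, not a real advisory feed.
ADVISORIES: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("org.apache.struts", "struts2-core"): [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
}

# "[INFO] ", then the tree-drawing prefix (spaces, |, +, \, -), then the coordinates.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coords>\S+)\s*$")

Node = Tuple[Tuple[str, str, str], List[str]]  # ((group, artifact, version), ancestors)


def parse_tree(text: str) -> List[Node]:
    """Return every node in the tree with the chain of artifacts that pulled it in.

    Each tree level is three characters wide ("+- ", "\\- ", "|  " or "   "),
    so a node's depth is the length of its prefix divided by three.
    """
    stack: List[str] = []
    nodes: List[Node] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        # Coordinates are group:artifact:type[:classifier]:version[:scope]
        group, artifact = parts[0], parts[1]
        version = parts[4] if len(parts) == 6 else parts[3]
        del stack[depth:]                    # pop back to this node's parent
        nodes.append(((group, artifact, version), list(stack)))
        stack.append(f"{group}:{artifact}:{version}")
    return nodes


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key: numeric components as ints, qualifiers such as RELEASE as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high under the numeric key above (inclusive)."""
    return version_key(low) <= version_key(version) <= version_key(high)


def find_affected(tree_text: str, advisories=ADVISORIES) -> List[Dict[str, str]]:
    """Flag every node whose coordinates and version fall inside an advisory range."""
    hits: List[Dict[str, str]] = []
    for (group, artifact, version), ancestors in parse_tree(tree_text):
        for low, high in advisories.get((group, artifact), []):
            if in_range(version, low, high):
                hits.append({
                    "artifact": f"{group}:{artifact}",
                    "version": version,
                    "pulled_in_by": " -> ".join(ancestors) or "<direct>",
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_TREE):
        print(f"{hit['artifact']} {hit['version']} via {hit['pulled_in_by']}")
```

Run against the sample, the flagged struts2-core artifact sits three levels below the application, behind two in-house libraries that nobody would list as "our web framework". In practice the inventory should come from a lockfile or SBOM rather than a build log, and the ranges from a vulnerability database, but the point stands: the check has to walk the whole tree and compare exact versions, not just the direct dependencies a team remembers declaring.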
That is where information sharing comes in. In the eyes of Mickos, organizations need to get better about opening up to outside help, be it from white hat hackers who spot a vulnerability in their systems and want to disclose it or other members of the same industry who want to work together to create a safer software experience.
Mickos pointed to recently released guidance from the United States Department of Justice on handling vulnerability disclosures, which advises organizations to begin by simply setting up an email address, such as "security@[organization]", that anyone can easily reach.
The second step is actually acting on what arrives at that address, something many organizations fail to do.
For example, when a major Bluetooth vulnerability was discovered earlier this year, the researchers behind it tried to contact Samsung to explain how it affected the company's Tizen operating system. Those attempts went unanswered, and Tizen remained exposed until the researchers went public with their findings.
That practice is unfortunately widespread. Mickos said his company studied the top 2,000 companies in the U.S. and found that only six percent of them had a system for receiving and confirming receipt of vulnerability disclosures.
Mickos also said that software companies would do well to look at the automotive industry and how car manufacturers have managed to improve vehicle safety. He said those companies, despite competing with one another, routinely share safety information to ensure all cars are as safe as possible and protect drivers and passengers. "We haven't learned this in software," he said.
In Mickos' estimation, that kind of sharing is key to the future of security, and a practice organizations need to embrace if they want to keep operating as they do today, holding vast amounts of sensitive personal information about consumers.
"If you want to serve customers 24 hours a day, then you are implicitly saying we are responsible for security 24 hours a day," he said.
© Copyright IBTimes 2024. All rights reserved.